README.md

Portfolio

Below a curated collection of my most relevant contributions to Web3 security: public contests and private audits whose clients kindly agreed to share reports publicly.

• 10/24 Kakarot (L2 - Cairo0) - 🏅1st place in team RadiantLabs, report
• 8/24 Reserve Core (DeFi - Go) - 🏅1st place in team RadiantLabs, report
• 7/24 Optimism Superchain (L2 - Solidity) - 🏅1st place in team RadiantLabs, report
• 5/24 Canto (Cosmos SDK - Go) on Code4rena - winnings forfeited for judging:
  • Incomplete "cosmos.msg.v1.signer" protobuf annotation causes the "MsgSwapOrder" message to fail
  • Govshuttle module does not register its transaction MsgServer
  • Incorrect names provided in RegisterConcrete calls break LegacyAmino signing method
  • QA report
• 4/24 Renzo (Restaking - Solidity) on Code4rena - 🏅1st place in team LessDupes, report
• 12/23 Ethereum Credit Guild (Staking app - Solidity) on Code4rena - 7th place:
  • Double-counting of reward realization in ERC20RebaseDistributor self-transfers exposes distribution funds to theft and insolvency
  • Updates to "creditMultiplier" can prevent bidding to pre-existing loan auctions
  • Newly created lending markets can be bricked by burning credit tokens
  • New distributions create unwanted fat-tail dilution of previous distributions
  • Rounding errors can cause ERC20RebaseDistributor transfers and mints to fail for underflow
  • ProfitManager's "creditMultiplier" calculation does not count undistributed rewards; this can cause value losses to users
• 11/23 usemoon.ai (Wallet backend - TypeScript/Go) private audit in solo: report
• 10/23 Party Protocol (Governance app - Solidity) on Code4rena - 🥉3rd place:
  • A host can abuse "abdicateHost" to inflate arbitrarily the number of hosts that voted a proposal
  • ETHCrowdfundBase.delegationsByContributor can be manipulated via zero-value front-running donations
  • PartyGovernanceNFT advertises but does not honor the ERC-4906 standard
  • PartyGovernanceNFT.rageQuit burns tokens without honoring minWithdrawAmounts when amounts to be transferred are zero
  • ETH Crowdfunds that aim at raising exact amounts and require a minimum contribution can be bricked
  • QA report
• 9/23 Maia DAO Ulysses (LayerZero app - Solidity) on Code4rena - 4th place:
  • Permissionless VirtualAccount.payableCall enables direct theft of assets
  • Several instances of assumptions on LayerZero refundee can lead to refunded tokens being permanently locked
  • Unused native tokens airdropped to RootBridgeAgent and BranchBridgeAgent are exposed to theft
  • Messages under-funded in remote gas temporarily halt Agents' communication via LayerZero
  • Incorrect source address decoding in RootBridgeAgent and BranchBridgeAgent’s _requiresEndpoint breaks LayerZero communication
  • QA report
• 8/23 GoodEntry (Uniswap V3 app - Solidity) on Code4rena - 🏅1st place:
  • TokenisableRange's incorrect accounting of non-reinvested fees in "deposit" exposes the fees to a flash-loan attack
  • V3Proxy swapTokensForExactETH does not send back to the caller the unused input tokens
  • Incorrect Solidity version in FullMath.sol can cause permanent freezing of assets for arithmetic underflow-induced revert
  • New from fees rework: fees can still be stolen with a flash-loan on GeVault
  • : Incorrect boundaries check in GeVault's "getActiveTickIndex" can temporarily freeze assets due to Index out of bounds error
  • V3 Proxy does not send funds to the recipient, instead it sends to the msg.sender
  • User can steal refunded underlying tokens from initRange operation inside RangeManager
  • Transaction origin check in ROE Markets make Options positions opened by contract users impossible to reduce or close
  • UniswapV3 trading fees are always locked in treasury instead of going back to the protocol users through GeVault
  • QA report
• 6/23 Canto (Cosmos SDK - Go) on Code4rena - 🥉3rd place:
  • DefaultMaxSwapAmount is 10x higher than spec for ETH

Blog posts

• 2023-10-26 Testing for audits: there is no spoon

CTF challenges authored

• Proof of work @ ONLYPWNER.xyz
• Liquid Staking @ ONLYPWNER.xyz
• Seal 911 @ ONLYPWNER.xyz